GCVE BCP-05-X-01: AI-Assisted Vulnerability Information Annotation

Status

Proposed Extension to GCVE BCP-05

Abstract

This document defines an extension to GCVE BCP-05 to support the annotation of vulnerability records where Artificial Intelligence (AI) or automated processing has been used during their creation, enrichment, or analysis.

The objective is to provide transparency, traceability, and classification of AI-assisted contributions within vulnerability information, enabling consumers to assess trust, provenance, and review levels.

1. Scope

This extension applies to any GCVE record conforming to BCP-05 where:

  • AI/ML models contributed to content generation, transformation, or classification
  • Automated systems assisted human analysts
  • Content was partially or fully generated by machine learning systems

This extension is optional but RECOMMENDED when such processing occurs.

2. Extension Identifier

The extension identifier SHALL follow the GCVE BCP extension naming convention:

GCVE BCP-05-X-01

3. Data Model

3.1 Field Location

The AI annotation MUST be attached at one of the following levels:

  • record-level: applies to the entire GCVE entry
  • field-level: applies to specific fields within the record

The extension SHALL be embedded under:

"x_gcve": [
  {
    "extensions": {
      "bcp-05-x-01": { ... }
    }
  }
]

3.2 Structure

"bcp-05-x-01": {
  "ai_annotations": [
    {
      "scope": "record | field",
      "field_name": "string (optional if scope=record)",
      "tags": ["string"],
      "description": "string",
      "ai_level": "none | assisted | augmented | generated",
      "review_status": "none | partial | full",
      "models": [
        {
          "name": "string",
          "version": "string (optional)",
          "provider": "string (optional)",
          "source": "ollama | huggingface | local | other",
          "identifier": "string (optional)"
        }
      ]
    }
  ]
}

4. Field Definitions

4.1 scope

Defines the applicability of the AI annotation.

  • record: applies to the entire vulnerability record
  • field: applies to a specific field (e.g., description, references)

4.2 field_name

Specifies the affected field when scope = field.

Examples:

  • description
  • title
  • references
  • analysis

4.3 tags

The tags field is an array of classification labels describing the type and nature of AI-assisted processing applied to the vulnerability information.

Implementations are STRONGLY RECOMMENDED to reuse existing, well-defined taxonomies instead of defining ad-hoc or free-form tags. This improves interoperability, consistency, and machine-readability across GCVE producers and consumers.

In particular, the following MISP taxonomies SHOULD be preferred when applicable:

These taxonomies provide structured vocabularies to describe:

  • The type of AI assistance (e.g., generation, classification, summarization)
  • The level and nature of automation or augmentation
  • Potential biases, risks, or safety considerations in AI-generated outputs

Tags derived from these taxonomies SHOULD follow their canonical naming and namespace conventions.

Example:

"tags": [
  "ai-computer-assisted:llm-generated",
  "ai-computer-assisted:classification",
  "ai-bias:potential-hallucination"
]

Free-form tags MAY still be used when:

  • No suitable taxonomy entry exists
  • Experimental or domain-specific annotations are required

However, such tags SHOULD:

  • Be clearly namespaced (e.g., ai:custom-*)
  • Avoid conflicting with existing taxonomy vocabularies
  • Be documented for downstream consumers

Producers SHOULD prioritize taxonomy-aligned tagging whenever possible to ensure consistency across GCVE records.

4.4 description

Free-text description of the AI-assisted operation.

4.5 ai_level

Defines the level of AI involvement:

  • none
  • assisted
  • augmented
  • generated

4.6 review_status

Indicates the level of human validation:

  • none
  • partial
  • full

4.7 models

List of AI models involved in the process.

5. Examples

Record-Level Annotation

(see specification)

6. Security and Trust Considerations

Consumers SHOULD evaluate AI-generated content carefully.

7. Interoperability Considerations

Backward-compatible with BCP-05. The extension can be safely discarded if not used.
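As an added illustration (not part of the proposal or of any GCVE tooling), the following Python validator checks the constraints of sections 3.1, 3.2 and 4 on a record: the closed vocabularies for ai_level, review_status and source, field_name being present when scope is field, and tags carrying a namespace. The sample record and the model name "example-model" are constructed for this example.

```python
import copy

# Closed vocabularies from section 3.2 of the proposal
AI_LEVELS = {"none", "assisted", "augmented", "generated"}
REVIEW_STATUSES = {"none", "partial", "full"}
MODEL_SOURCES = {"ollama", "huggingface", "local", "other"}

def validate_ai_annotations(record):
    """Return a list of problems in a record's bcp-05-x-01 annotations (empty list means valid)."""
    problems = []
    for i, ext in enumerate(record.get("x_gcve", [])):
        block = ext.get("extensions", {}).get("bcp-05-x-01", {})  # the extension is optional
        for j, ann in enumerate(block.get("ai_annotations", [])):
            where = f"x_gcve[{i}].ai_annotations[{j}]"
            scope = ann.get("scope")
            if scope not in ("record", "field"):
                problems.append(f"{where}: scope must be 'record' or 'field'")
            elif scope == "field" and not ann.get("field_name"):
                problems.append(f"{where}: field_name is required when scope is 'field'")
            if ann.get("ai_level") not in AI_LEVELS:
                problems.append(f"{where}: ai_level must be one of {sorted(AI_LEVELS)}")
            if ann.get("review_status") not in REVIEW_STATUSES:
                problems.append(f"{where}: review_status must be one of {sorted(REVIEW_STATUSES)}")
            for tag in ann.get("tags", []):
                if ":" not in tag:  # section 4.3: tags should carry a namespace
                    problems.append(f"{where}: tag {tag!r} is not namespaced")
            for k, model in enumerate(ann.get("models", [])):
                if not model.get("name"):
                    problems.append(f"{where}.models[{k}]: name is required")
                if model.get("source") not in MODEL_SOURCES:
                    problems.append(f"{where}.models[{k}]: source must be one of {sorted(MODEL_SOURCES)}")
    return problems

# Constructed sample record (not from the specification): one field-level annotation
SAMPLE_RECORD = {"x_gcve": [{"extensions": {"bcp-05-x-01": {"ai_annotations": [{
    "scope": "field", "field_name": "description",
    "tags": ["ai-computer-assisted:llm-generated", "ai-bias:potential-hallucination"],
    "description": "Description drafted by an LLM, then fully reviewed by an analyst.",
    "ai_level": "generated", "review_status": "full",
    "models": [{"name": "example-model", "version": "1.0", "source": "local"}],
}]}}}]}

def broken_sample():
    # Copy of SAMPLE_RECORD with three defects the validator should report
    rec = copy.deepcopy(SAMPLE_RECORD)
    ann = rec["x_gcve"][0]["extensions"]["bcp-05-x-01"]["ai_annotations"][0]
    del ann["field_name"]                 # field scope without a field_name
    ann["tags"].append("hallucination")   # free-form tag without a namespace
    ann["models"][0]["source"] = "cloud"  # source outside the allowed set
    return rec
```

Calling validate_ai_annotations(SAMPLE_RECORD) returns an empty list, while validate_ai_annotations(broken_sample()) reports the three defects with their JSON paths.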

Shouldn’t the models and review_status fields be omitted if the ai_level is none? And having a url field in the model could maybe help for identifying the model when the source is other.